In essence, a context-based access system dynamically adjusts a person’s access rights to an enterprise network based on the device used and where that access is being initiated from.
For example, a person accessing a corporate network from a corporate-owned PC located in corporate office space is likely to have full role-based access to that network and the data/information held within it. But should that person be using a personally owned smartphone from a commercial coffee shop, a context-based access solution would likely restrict access to email only.
If the smartphone were equipped with one of the newer sandbox technologies (corporate use is sandboxed from private use), however, and access were from the person’s home, then a context-based access solution might offer the user a much richer view of the corporate network and services.
One of the barriers to the take-up of context-based access has been a lack of granularity – by device only, for example, or the need to configure a solution for each user (a person’s home network details and/or details of a person’s device).
Another barrier has been existing practice, for example allowing personally owned devices to access email with no regard to location other than company policy. Or the equipping of staff with company laptops equipped with a secure tunnel mechanism to connect to the corporate network (virtual private network client or HTTPS web access with client-side X.509 certificates) supported with user procedures to govern where a device can be used.
Read more on context-aware security
With the emergence of sandbox applications that keep corporate data and applications separate from personal data and applications, the doors open to a much freer use of bring your own device (BYOD).
Such applications, coupled with company policies governing where a device can be used, will further affect the take-up of current context-based access technologies.
Only when the body corporate decides that the current access mechanisms do not offer sufficient granularity of control will the situation change – for example, giving a user a richer corporate access when using BYOD at home than when used out in the street or from a hotel room.
The driver to such decisions will need to be risk-based, taking into account the degree of mitigation that can be offered by various context-based access solutions and sandboxing technologies.
Is the body corporate ready to fully engage in risk assessment of their data and information?
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
This was first published in March 2014